Blame openssl-1.0.0-beta4-client-reneg.patch
|
 |
5b761f5 |
Do not enforce the renegotiation extension on the client - too many broken servers remain.
|
|
|
5b761f5 |
diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg openssl-1.0.0-beta4/ssl/t1_lib.c
|
|
|
5b761f5 |
--- openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg 2009-11-12 15:17:29.000000000 +0100
|
|
|
5b761f5 |
+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-18 14:04:19.000000000 +0100
|
|
|
5b761f5 |
@@ -985,6 +985,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
|
|
5b761f5 |
|
|
|
5b761f5 |
if (data >= (d+n-2))
|
|
|
5b761f5 |
{
|
|
|
5b761f5 |
+#if 0
|
|
|
5b761f5 |
/* Because the client does not see any renegotiation during an
|
|
|
5b761f5 |
attack, we must enforce this on all server hellos, even the
|
|
|
5b761f5 |
first */
|
|
|
5b761f5 |
@@ -994,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
|
|
5b761f5 |
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
|
|
5b761f5 |
return 0;
|
|
|
5b761f5 |
}
|
|
|
5b761f5 |
+#endif
|
|
|
5b761f5 |
return 1;
|
|
|
5b761f5 |
}
|
|
|
5b761f5 |
|
|
|
5b761f5 |
@@ -1126,12 +1128,14 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
|
|
5b761f5 |
return 0;
|
|
|
5b761f5 |
}
|
|
|
5b761f5 |
|
|
|
5b761f5 |
+#if 0
|
|
|
5b761f5 |
if (!renegotiate_seen
|
|
|
5b761f5 |
&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
|
|
5b761f5 |
{
|
|
|
5b761f5 |
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
|
|
5b761f5 |
return 0;
|
|
|
5b761f5 |
}
|
|
|
5b761f5 |
+#endif
|
|
|
5b761f5 |
|
|
|
5b761f5 |
if (!s->hit && tlsext_servername == 1)
|
|
|
5b761f5 |
{
|